The GDPR has an unprecedented scope of applicability, defined in Articles 2 (Material Scope) and 3 (Territorial Scope) of the GDPR.
In terms of material scope, generally speaking, and leaving aside the exclusions the GDPR sets forth (which we will discuss in another item), the GDPR applies to the processing of personal data wholly or partly by automated means, and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system. In terms of territorial scope, the GDPR applies in the following contexts:
• Processing carried out in the context of the activities of an establishment of a controller or a processor in the Union, regardless of whether the processing itself takes place in the Union or not.
• Processing of personal data of data subjects who are in the Union by a controller or processor not established in the Union, where the processing relates to (a) the offering of goods or services to data subjects in the Union, or (b) the monitoring of their behavior, insofar as that behavior takes place within the Union.
• Processing of personal data by a controller not established in the Union, but in a place where Member State law applies by virtue of public international law.
This means that the GDPR may apply to entities that are not established in the EU and have no establishment in the EU at all, if they monitor the behavior of data subjects in the EU or offer goods and services to persons in the EU.
Note that the GDPR does not say whether this refers to residents of the EU, citizens of the EU, or otherwise; it simply states “data subjects who are in the Union”.
The community of privacy professionals has yet to learn, from the case law that will develop once the GDPR applies, how this wording will be interpreted by the regulators, the Supervisory Authorities (SAs) and the competent courts.